I’m generally a tolerant and easy going sort of person. There’s a fairly short list of things that get my goat. For instance, our local doctors surgery has a call queuing system with 6 different options. However, I know for a fact that there’s only one person working in the reception and that regardless of which button you press (press 1 for a long wait etc etc) after about 12 rings you’ll get through to her. How pointless is that? Our home phone number is fairly similar to a local pizza take-away place. At least a few times a week I’ll take orders. Sometimes, I tell the caller that I’ve got no pizza left but they are welcome to have some of what I’m having…
The information security industry can be similarly infuriating at times. Here’s a short paragraph on each of the five things that wind me up the most:
1. Security awareness programs
A whole cottage industry of consultants and websites has been built up around the perceived need to educate company employees about information security. It’s all a waste of time and money. Certain individuals will point to a reduction in the number of lost laptops as a measure of success, or an increase in the number of people who can correctly click “a). All policies are on the Intranet” in a multiple choice questionnaire. The fact is that security awareness programs are received within the organisation with about as much enthusiasm as a plate of sick. The key to good information security is strong governance, good communication and well managed, decent processes. Security awareness programs sap energy and resources, and have little positive effect. Drop them.
2. Compliance = security
Nothing reduces the security status of a business faster than a blind determination to achieve compliance with a policy or a new regulation. PCI is the obvious one, with whole armies of “Qualified Security Assessors” driving their company Mondeos up and down the motorways of England en-route to the next company that’s fallen into the trap of believing that so long as they can tick all the right boxes they are protected as if covered by some magic force-field. Having the certificate that says “compliance” tells you nothing more than that on the day the assessor came, you had the right combination of smoke and mirrors in place to pass the test. Information security is not a compliance project. It’s an ongoing program without an end-date.
3. Risk modelling
Many “experts” preach the importance of working through risk models. It’s a load of tosh. No matter which way you try to do it, you’ll always come out with the answer you first thought of. You might as well use a crystal ball and read tarot cards. Nobody needs to work through a complex risk model to understand
that if a retail website suffers a denial of service that it’ll have
some financial consequences, or that if the internet
connection is lost that there wont be access to the..er..Internet. I’ve got better, more constructive and practical ways to spend my day than conspiring over risk models. Much more relevant is threat modelling – understand your systems and know the business so that you can make relevant risk-based decisions.
4. Where are all the analysts
Here are two examples of what I mean. i) A vendor does a “penetration test” of a web site (I use the term loosely because these days most pen tests seem to involve little more than pressing a button labelled “scan now”) and sends you a report highlighting several “High Risk” issues. On closer inspection you discover that most of them are either false positives, or irrelevant. ii) A network scan report is given to a newly CISSP qualified security analyst and he’s asked to review it as part of a job interview. He spots the obvious highlighted security holes but doesn’t question why a web server has non-standard ports open. Are we becoming too reliant on auto-scan reports? Security analysts need to be inquisitive, well practiced in basic technical skills, able to spot anomolies, and not afraid to question things that don’t look right. The scan results never tell the full story!
5. It’s not my fault
The first 9 years of my working life were spent in the Royal Air Force where I enlisted as an Assistant Air Traffic Controller. I learnt a few useful things out of that: how to make a good cup of tea, write backwards on a plastic board with a chinagraph , and operation of a mumeter, being three that will stick in my mind. Most important of all though was the lesson that excuses don’t count. Only results. There’s an evolving culture of making excuses for poor results. Lack of time, lack of resource, lack of training, lack of ability to think of a decent answer. All it shows is a lack of imagination, planning and initiative on the part of the person making the excuse. If you get something wrong it’s your fault. Admit it and learn from it.